C++ Confidential Container

C++-SGX: C++ Con­fi­den­tial Com­pute Container

enclaive deliv­ers a con­fi­den­tial com­pute vari­ant of C++, called C++-SGX. This vari­ant runs in Intel SGX enclaves. Intel Secu­ri­ty Guard Exten­sion (SGX) deliv­ers advanced hard­ware and RAM secu­ri­ty encryp­tion fea­tures, so-called enclaves, to iso­late code and data that are spe­cif­ic to each appli­ca­tion. When data and appli­ca­tion code run in an enclave addi­tion­al secu­ri­ty, pri­va­cy, and trust guar­an­tees are giv­en, mak­ing the con­tain­er an ide­al choice for (untrust­ed) cloud environments.

Why C++-SGX images?

Fol­low­ing ben­e­fits come with C++-SGX :

• con­fi­den­tial com­pute ready
• con­tain­er escape pro­tec­tion through hard­ware-grad­ed security
• con­tain­er images are released on a reg­u­lar basis with the lat­est dis­tri­b­u­tion pack­ages available
• images use the same com­po­nents and con­fig­u­ra­tion approach — mak­ing it easy to switch between for­mats based on your project needs
• com­pat­i­ble with DevOps best prac­tices (e.g., Dock­er, Dock­er Swarm, Kubernetes)

Fea­tures

• con­tain­er-in-use encryp­tion and authentication
• encrypt­ed and authen­ti­cat­ed volume/files
• remote­ly authenticable
• con­fi­den­tial key man­age­ment and provisioning

Pre­req­ui­sites

• Dock­er Engine 20.1.0 or later
• Dock­er com­pose plu­g­in is recommended
• Intel SGXv2/x86 archi­tec­ture or later